Philip Hagen

For Phil Hagen, a career in information security chose him even before the movies War Games and Sneakers spurred his broader interest in the field. Phil has been captivated since the early days, working on information security projects since the mid-1990s, but networking grabbed his attention even before that.

"Since installing a 2400bps modem into an Apple //e around 1988, every computer I've used has been able to communicate with others," he says. "Of course the systems themselves are becoming more and more varied, making network analysis a critical component of the investigative process today."

Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.

Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. He has handled deeply technical work, managed an entire computer forensic services portfolio, and held executive responsibilities. He has supported systems that demanded 24x7x365 availability, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his current role as DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.

Phil is also a certified instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum for learning the skills needed to investigate network-based incidents, including the common case where the hard drives or memory of the compromised systems are unavailable to the investigator.

"In each class, I take care to explain the relevance of the concepts to cases I've worked and scenarios I've encountered in the past," says Phil. "In FOR572, our classwork and hands-on materials are all taken from real-world experiences and cases. Our week in class is jam-packed and we deliberately focus our attention on adversary behaviors that have been actively observed in the wild."

Phil also spends time developing and maintaining the SOF-ELK distribution, a virtual appliance that is preconfigured with the ELK stack (Elasticsearch, Logstash, and Kibana). "This takes a lot of time investment, but it's very rewarding to hear from the DFIR community at large when they've used SOF-ELK in their own environments and cases to boost efficiency and effectiveness," he says.

Phil has always been a mentor and teacher at heart, and his relationships with former colleagues and students constitute one of his biggest sources of professional pride. "In my previous job at a large defense contractor, I was responsible for managing the entire computer forensic division," says Phil. "The division consisted of many people in various critical roles, including an exceptional team of site managers that I relied heavily on. Years later, I still stay in touch with most of those managers and many other people from the overall team. They have all grown professionally and it's amazing to see what roles they've taken on. It's humbling to see so many people really pursue the trajectory they set for themselves so many years ago."

In one of his most exciting cases, Phil provided forensic examination and overall investigative support to a law enforcement case involving hundreds of millions of dollars of fraudulent transactions committed against victims around the world. The case lasted several years and involved more than a hundred pieces of media from 10 countries, as well as numerous operating systems, filesystems, and criminal actors. Because the team had comprehensively scoped the architecture the criminal actors used, the ultimate arrest of two subjects high in the organizational "food chain" allowed the investigative team to decapitate the fraudulent scheme completely.

When he's not cyber-sleuthing and mentoring students, Phil is an avid runner who has completed two half-marathons and dozens of 5k and 10k races. He tries to run every other day even when he's teaching in order to keep his thoughts clear and his brain geared up. "I get 'rungry' (run hungry) when I skip a day," he says. Phil also enjoys craft beer because of the passion and creativity that today's craft brewers put into their product. Wherever he travels he searches out the local favorite to sample.

"Phil Hagen and I have worked very closely together for many years. His understanding of networks, underlying technology, and hacker techniques was critical to many operational successes. Phil managed to begin leading several key operational components while at a defense and intelligence community contractor and was soon running the division with over 85 employees and contracts totaling tens of millions of dollars. Phil has never lost his technical edge and was a key asset while working directly with federal law enforcement tracking organized criminals using cyber as a way to commit financial and credit card attacks." - Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Phil is an incredibly gifted author, instructor, and member of the DFIR team! He is well versed in networking protocols and principles, investigative methodology, and advanced analytical techniques. Phil's teaching skills come from his deep experience in supporting military, government agencies, and Fortune 500 clients over the many years of work in information security. He is able to establish a great rapport with his students and delivers the high-quality classroom experience that SANS attendees have come to appreciate." - Heather Mahalik, Senior Instructor and FOR585 Course Lead